It is an established fact that insecure, reused, and compromised passwords are one of the leading causes of security breaches.
A password alone is not inherently an insecure method of authentication. Like any other IT component, it requires testing and quality assurance to ensure it is secure.
Until now, the issue with passwords has been the lack of testing solutions that simulate an attacker attempting to crack them. This was not for want of password-cracking tools, but because a conventional cracking run reveals the plaintext password, which is itself a privacy breach.
EPAS takes a different approach: it identifies and prevents insecure, reused, and compromised passwords without exposing users' plaintext passwords. This lets organizations remove weak, reused, and compromised passwords from their estate while continuing to use a proven, well-known, and well-supported authentication method.
EPAS is patented technology used on thousands of servers and identity management systems by several million enterprise users, in over 30 countries. Since using EPAS, none of these accounts have been reported as compromised because of insecure passwords.
Using extra security measures like MFA and risk-based authentication is still recommended to increase security. However, this can often be challenging, especially for legacy and OT systems or when the necessary technology changes lead to very high costs.
The implementation can also take a long time, leaving accounts open to password-related attacks.
Even when MFA is used, the password is usually one of the factors and must be properly secured.
EPAS provides immediate protection, for all passwords, whether used as the only factor or part of MFA. The EPAS appliance is set up within 24 hours, even in complex environments, and provides instant results, without installing any software on protected systems.
EPAS Audit represents the first solution to successfully address the challenge of conducting privacy-compliant password security assessments while simulating authentic attacks.
By executing the attack and evaluation within a sealed, secure environment, without storing or revealing the cleartext password, EPAS maintains full compliance with legal and privacy regulations.
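As an added example (not EPAS code, and not a description of its internals), the following Python sketches the audit pattern described above: a wordlist-plus-derivation-rule attack runs against stored hashes inside one function, and only metrics leave it. The hash format (unsalted SHA-256 as a stand-in for whatever the audited system really uses), the accounts, the wordlist and the rules are all constructed for the demo.

```python
# Added example, not EPAS code: a "sealed" audit loop that runs a wordlist +
# derivation-rule attack against stored hashes and emits only metrics.
# Hash format, accounts, wordlist and rules are constructed for this demo.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def sha256_hex(pw: str) -> str:
    # Assumption: the target stores unsalted SHA-256 hex digests.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


# Constructed sample store: account -> stored hash
ACCOUNTS: Dict[str, str] = {
    "alice": sha256_hex("Winter2024!"),
    "bob":   sha256_hex("winter"),
    "carol": sha256_hex("Winter2024!"),   # same password as alice (reuse)
    "dave":  sha256_hex("Tr0ub4dor&3"),   # not reachable from wordlist x rules
}

WORDLIST = ["winter", "summer", "password", "company"]

# Derivation rules (hashcat-style in spirit): base word -> candidate
RULES = {
    "as-is":     lambda w: w,
    "cap":       lambda w: w.capitalize(),
    "cap+year":  lambda w: w.capitalize() + "2024",
    "cap+year!": lambda w: w.capitalize() + "2024!",
    "leet":      lambda w: w.translate(str.maketrans("aeos", "430$")),
}


@dataclass(frozen=True)
class Finding:
    account: str
    cracked: bool
    rule: Optional[str]         # which derivation recovered it
    length: Optional[int]
    classes: Optional[int]      # lower/upper/digit/symbol classes present
    reuse_group: Optional[str]  # keyed token: equal iff the passwords are equal


def char_classes(pw: str) -> int:
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def audit(accounts: Dict[str, str]) -> List[Finding]:
    # Candidate table: stored-hash -> (rule, plaintext). It exists only for the
    # lifetime of this call; nothing returned from here carries a plaintext.
    table = {}
    for word in WORDLIST:
        for name, rule in RULES.items():
            cand = rule(word)
            table.setdefault(sha256_hex(cand), (name, cand))
    # Ephemeral per-run key: reuse tokens cannot be reversed or recomputed
    # once the key is gone, but equal passwords map to equal tokens.
    run_key = os.urandom(32)
    findings: List[Finding] = []
    for account, stored in accounts.items():
        hit = table.get(stored)
        if hit is None:
            findings.append(Finding(account, False, None, None, None, None))
            continue
        rule_name, plaintext = hit
        token = hmac.new(run_key, plaintext.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        findings.append(Finding(account, True, rule_name, len(plaintext),
                                char_classes(plaintext), token))
    return findings


def reuse_groups(findings: List[Finding]) -> Dict[str, List[str]]:
    """Accounts sharing a password, keyed by the opaque reuse token."""
    groups: Dict[str, List[str]] = {}
    for f in findings:
        if f.reuse_group:
            groups.setdefault(f.reuse_group, []).append(f.account)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    results = audit(ACCOUNTS)
    for f in results:
        print(f)
    print("reuse:", reuse_groups(results))
```

The keyed reuse token is what lets the report say "alice and carol share a password" without anyone being able to turn the report back into the password; because it is computed over the recovered plaintext rather than the stored hash, the same check works for salted stores, where hash equality would not reveal reuse.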
Patents: USPTO 9,292,681 B2, EP 2767922A1
EPAS Enforcer offers an essential toolset to leverage the results and metrics produced by EPAS Audit, ensuring that insecure passwords are not used again by blocking them during password changes. Enforcer is an optional add-on to EPAS Audit and supports several identity management systems as well as Microsoft Active Directory, Windows, Microsoft Azure, UNIX systems, database engines, and custom applications.
Compromised credentials represent the most frequently exploited attack vector in password-related breaches. EPAS offers one of the largest and best curated password intelligence databases available today, utilized to both identify and prevent the use of compromised credentials. This data is gathered from human-led Threat Intelligence covering underground forums and the dark web, malware logs shared among malicious actors, and publicly available password breaches, such as Have I Been Pwned. Unlike other solutions, the dataset is available in plaintext, allowing EPAS to provide several unique features: the ability to determine if current passwords have been compromised across all supported systems—not limited to Active Directory—and the capacity to detect and block the use of passwords that are not only exact matches but also those that are slightly altered versions of compromised passwords. The data is refreshed on a regular basis.
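An added example, not EPAS Enforcer code: a password-change check that rejects a candidate when it, or a normalised form of it (case-folded, leet-decoded, trailing digits and symbols stripped, year suffix generalised), matches an entry in a compromised-password corpus. The corpus and the inputs are constructed for the demo; a real corpus would be billions of entries held in a set or Bloom filter rather than a Python literal.

```python
# Added example, not EPAS Enforcer code: reject new passwords that match a
# compromised-credential corpus exactly or after normalising common tweaks.
# COMPROMISED and the candidate passwords are constructed for this demo.
import re
from typing import Optional, Set

COMPROMISED: Set[str] = {"password", "winter2023", "letmein", "qwerty123", "p@ssw0rd"}

# Common character substitutions, decoded back to letters
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> Set[str]:
    """All forms under which a password is compared against the corpus."""
    base = pw.lower()
    forms = {base, base.translate(LEET)}
    # "Winter2024!!" -> "winter": strip the trailing digits/symbols people append
    stripped = re.sub(r"[^a-z]+$", "", base)
    if stripped:
        forms.add(stripped)
        forms.add(stripped.translate(LEET))
    # "winter2023" and "winter2024" collapse to the same year-agnostic form
    forms.add(re.sub(r"(19|20)\d\d", "<year>", base))
    return forms


def build_corpus_forms(corpus: Set[str]) -> Set[str]:
    forms: Set[str] = set()
    for entry in corpus:
        forms |= normalize(entry)
    return forms


CORPUS_FORMS = build_corpus_forms(COMPROMISED)


def check_new_password(pw: str, corpus_forms: Set[str] = CORPUS_FORMS,
                       min_len: int = 12) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable."""
    if len(pw) < min_len:
        return "too short"
    hits = normalize(pw) & corpus_forms
    if hits:
        return f"matches compromised password (normalised form: {sorted(hits)[0]})"
    return None


if __name__ == "__main__":
    for cand in ["Correct-Horse-Battery", "Letmein2024", "P@ssw0rd2024!",
                 "Winter2024!!", "qwerty123456"]:
        print(f"{cand!r}: {check_new_password(cand) or 'ok'}")
```

Note the asymmetry that makes this useful: "Winter2024!!" never appears in the corpus, but it is rejected because "winter2023" does and both reduce to "winter". The normalisation is applied to the corpus once at load time and to each candidate at change time, so the check itself is a handful of set lookups.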
Advanced criminals and state actors are increasingly using artificial intelligence to perform password attacks. EPAS employs AI to detect passwords vulnerable to such attacks: using LLMs such as GPT to generate predictive word lists, combined with classic methods such as derivation rules, an improvement of 10% to 18% in the recovery rate has been observed.
Whether for enhancing security, remediation, or meeting regulatory standards, EPAS reports offer complete visibility into vulnerable credentials. These reports are frequently employed in internal audits and serve as evidence of compliance with strong authentication requirements in GRC.
EPAS is routinely deployed across multiple data centers, and across multiple countries. A central instance can serve dozens of data centers, thousands of servers, and millions of accounts. Multiple EPAS systems can be deployed to ensure high availability and failover.
EPAS is an on-premises or private cloud appliance solution. It can be deployed in single data centers to accommodate smaller enterprises or can be scaled up as required, extending across multiple data centers or locations, serving single or multiple tenants from a centralized location.
EPAS handles sensitive information, including user credentials and hashed password data. To guarantee the security of this data against external attacks as well as malicious internal use (e.g., modifying the system to display recovered passwords), the EPAS platform employs full encryption, TCG (Trusted Computing Group) technology sealing, independent and internal security testing, and follows a secure development process within a certified environment.
Detects weak, predictable, compromised, and reused passwords
Simulates all known types of attacks, from brute-force to leaks and AI
Does not expose or store the plaintext of recovered passwords
Is applicable to both existing, encrypted passwords, and to new ones
Prevents setting insecure passwords based on assessment metrics
Supports all enterprise systems, from mainframes to Active Directory
Protects both on-premises and cloud-based systems
Bundles one of the world's largest databases of compromised credentials
Leverages latest generation of GPU-based hardware acceleration
Employs AI to identify passwords vulnerable to LLM-based attacks
Delivers enterprise grade reporting, metrics, and KPIs
Scales across data centers, countries, and cloud
Provides full automation and scheduling without human intervention
Provides APIs to integrate with SOC environments and 3rd party tooling
Integration with MS Entra ID, IBM RACF, CyberArk, OneIdentity IM, Micro Focus NetIQ
Readily available for MSP / MSSP use cases, with multi-tenant capability
Historical password quality analysis across custom account selection
Regional support centers in USA, Germany, Singapore, Australia
Custom reporting by splitting and merging target specific reports
Mature, trusted technology used by some of the world's largest corporations
Eliminate password-related security risks
Meet regulatory requirements for authentication and privacy
Optimize costs associated with identity management and authentication
Improve user experience when changing passwords
Coverage for legacy systems which do not support MFA
Compensating controls for MFA or related regulatory requirements
Standalone hardware or virtual appliance, fully encrypted at all times
Uses Trusted Computing with TPM for tamper prevention
Fully isolated, with no external or Internet connection
Production-safe: uses only legitimate vendor APIs for extraction
Agent-less, does not install any software on audited systems
ISO27001 Certified development environment
Undergoes regular independent security assessments
The EPAS Enforcer plug-in is verified, certified, and digitally signed by Microsoft
Microsoft Active Directory Accounts
Microsoft Windows Local Accounts
IBM System z – zSeries – RACF z/OS, z/VM
IBM System i – iSeries – AS/400
IBM System p – pSeries – RS/6000 – AIX
IBM Lotus Domino Application Server
SAP NetWeaver – ABAP AS
BSD Operating System
Linux Operating System
Sun Solaris – SunOS
Apache Basic – htpasswd
LDAP Authentication Server
Apple macOS – Mac OS X
Cisco ISE – ASA – IOS – NX-OS
MongoDB System Accounts
MSSQL System Accounts
MySQL System Accounts
Oracle System Accounts
PostgreSQL System Accounts
Sybase ASE System Accounts
Bitwarden Password Vault
KeePass Password Vault
DB2 Database Custom Application
Informix Database Custom Application
MaxDB Database Custom Application
MSSQL Custom Database Application
MySQL Database Custom Application
Oracle Database Custom Application
PostgreSQL Custom Database Application
Sybase ASA Database Custom Application
Sybase ASE Database Custom Application
Microsoft Active Directory
Linux Accounts / PAM
Microsoft Windows Accounts
Microsoft Azure AD / Hybrid
Microsoft SQL Server
OneIdentity Identity Manager
Micro Focus NetIQ SSPR
Web-Based Password Management
Custom Applications
Server hardware: Intel Xeon architecture, custom OEM configuration
GPU acceleration: Current release is based on NVIDIA GeForce RTX 40 series
Redundancy: High availability and failover configurations available for all use cases
Encryption: FDE with HSM for operational data storage, TCG 2.0, discrete TPM module
Rack mounting: All models are built for standard full depth 19″ rack enclosures
Virtual appliance options: VMware vSphere, Microsoft Azure, Amazon AWS
Firm size: $70B+
OVERVIEW
The customer needed to meet a variety of requirements in highly regulated environments in 25+ countries, as well as improve cyber resilience by strengthening authentication.
SOLUTION
The EPAS solution was deployed over the course of approximately four months, covering around 30 data centers and many heterogeneous systems, ranging from Microsoft Active Directory to UNIX, IBM Mainframe, and cloud platforms. EPAS has been running without interruption for the past 9 years, ensuring that passwords are secure and providing regulatory evidence in this respect.
CONCLUSION
“EPAS is stable and secure. Easy to deploy and delivers what it promises. Support is also helpful. Feedback from the technicians is also positive. We will be happy to extend our agreement with them again.”
Firm size: $10B
OVERVIEW
The customer needed to meet a variety of requirements in a highly regulated environment, as well as improve cyber resilience by strengthening authentication. The bank wanted a solution to provide automation and monitoring to implement missing capabilities for compliance and regulatory needs.
SOLUTION
EPAS: “The thing I like most is the SOX and regulatory compliance in addition to the ease of use of the platform. From A to Z everything is documented, and custom implemented as needed.”
CONCLUSION
“Understand the value in what password quality assurance really is. Also, understand how structural integrity of passwords relate to your business. Additionally, dig deep into the gaps of enforcing passwords in your environment such as through GPO or pam/cracklib configurations. You may assume there are no gaps, but I promise you as a security professional that there are.”
Firm size: $30B+
OVERVIEW
The customer needed to meet a variety of requirements for critical infrastructure across multiple continents, as well as improve cyber resilience by strengthening authentication.
SOLUTION
EPAS has been running without interruption since 2019, ensuring that passwords are secure and providing regulatory evidence in this respect. Quoting the project owner, “The functionality of EPAS is impressive. Integration and rollout were trouble-free, despite a very complex environment.”
CONCLUSION
“Ask for a test of the solution. It is very likely that the results will satisfy you and provide you with substantive evidence to justify the need for the solution towards senior management.”
Firm size: $1B
OVERVIEW
The customer needed to understand password strengths, enforce strong passwords and manage compliance requirements.
SOLUTION
EPAS: “The solution has been implemented and is immediately showing benefits to managing password challenges and ensuring compliance is maintained. Pre-sales demos were also very comprehensive helping the stakeholders understand the capabilities and how they meet use cases. I cannot identify weaknesses in the engagement or the solution. A benchmark that other vendors should aim for in my view.”
CONCLUSION
“Service was responsive and detailed when questions arose - from deep technical questions and how-to. The responses were clear, with examples so that we could explain to non-technical people. The product is exceptional - does what it says on the tin. The reporting capabilities are endless and have met all use cases.”
Firm size: $10B
OVERVIEW
The customer needed to meet a variety of requirements in a highly regulated environment, as well as improve cyber resilience by strengthening authentication.
SOLUTION
EPAS: “Very Powerful/Well. Once learned, the product is very simple to use, and new scans can be configured within minutes. It can scan a wide variety of different OS/Systems including mainframe. The password scan reports provide all the information needed to close one of the easiest, but most dangerous security gaps. The tool had a higher-level overview report that can be used to provide evidence that your organization complies with any State and federal regulatory agencies that you may report to.”
CONCLUSION
“Vendor provides excellent and well produced documentation on how the appliance works, the setup process, and configuration of scans. The Appliance is rock solid and has been running password scans in our environment nonstop for 5 years without any downtime or failure.”
Firm size: $250M
OVERVIEW
The customer needed to meet compliance requirements, to improve cyber resilience by strengthening authentication, as well as improve awareness training.
SOLUTION
EPAS has been running without interruption since 2016, ensuring that passwords are secure and providing regulatory evidence in this respect. Quoting the project owner, “First approved and certified solution for the automated quality analysis of passwords in the company, which can be installed and operated without any problems, and which also complies with data protection regulations (no problems with works council & Co.).”
CONCLUSION
“Very good service from vendor, especially in context of feature requests and improvements; top hardware support (got new hardware without request by reason of hardware improvements).”